How to use the magic byte validator — frequently asked questions
- Step 1: Drop one file — Drag a single file onto the validator (acceptsMultiple: false). No account or install needed on the Free tier. The bytes are read into browser memory; nothing is uploaded.
- Step 2: Let it read the magic bytes — file-type scans the header signature and returns the detected extension + MIME, or nothing if no signature matches (the 'unknown' case).
- Step 3: Read the result card — It shows detectedExt, detectedMime, claimedExt, plus matches/threatDetected. Green match = bytes agree with the name; mismatch = the bytes describe a different format.
- Step 4: Interpret the state — Match → type consistent. Mismatch with a detected type → the bytes disagree with the label (some are benign, like OOXML→zip). Unknown → no signature matched (text-like or out-of-set), not auto-flagged.
- Step 5: Act on it — Consistent type → continue. Genuine document-hiding-an-executable mismatch → treat as untrusted and sandbox. Unknown on a suspect file → inspect bytes with hex-header-inspector.
- Step 6: Go deeper if needed — Chain to entropy-analyzer to test for packing/encryption, or multi-hash-fingerprinter to capture hashes. For watching a known-good file for change, use file-integrity-monitor.
Result states at a glance
Every result the validator can return and what it means. threatDetected is true only when a type was detected AND it disagrees with the claimed extension.
| State | Fields | Meaning | Typical cause |
|---|---|---|---|
| Match | matches:true, threatDetected:false | Bytes agree with the extension | Normal, untampered file |
| Mismatch (threat) | matches:false, threatDetected:true | Bytes describe a different format | Renamed file, or OOXML→zip |
| Unknown | detectedExt:null, threatDetected:false | No signature matched | Text/CSV/JSON, encrypted, or out-of-set format |
| Alias match | matches:true, threatDetected:false | Equivalent extensions | .jpeg detected as jpg, etc. |
Quick reference — capabilities and limits
What the validator does and doesn't do, and the limits that apply.
| Question | Answer |
|---|---|
| Formats detected | file-type 19.6.0 — 155 extensions / 150 MIME types |
| Where it runs | Browser (Free) + server-safe API/runner path |
| Uploads my file? | No on Free tier — bytes read in-browser only |
| Executes the file? | Never — it only reads bytes |
| Files per run | 1 (single-file) |
| Free size limit | 10 MB (Pro 100 MB / Pro-media 500 MB / Developer 2 GB) |
| Behavioural / AV scan? | No — type triage only |
| Detects polyglots fully? | No — offset-0 signature only |
Cookbook
Worked answers to the questions people ask most, with the validator output for each.
'My PDF shows as a ZIP — is it broken?'
Almost always it's an Office file (or a PDF saved with a container) and not actually a PDF. Modern .docx/.xlsx/.pptx are ZIP archives, so they detect as zip. If a file named .pdf shows as zip, it is likely a misnamed OOXML document.
```text
File: quarterly.pdf
Header: 50 4B 03 04 ... (PK — ZIP)
Validator: { detectedExt:"zip", claimedExt:"pdf",
             matches:false, threatDetected:true }
Likely an OOXML file renamed to .pdf. Open it: if it starts
with 'PK' and contains [Content_Types].xml, it's really a
Word/Excel/PowerPoint document.
```
'What does Unknown mean?'
The header matched no signature. For a CSV that's completely normal — text formats have no magic bytes. It is NOT flagged as a threat.
```text
File: export.csv
Header: 69 64 2C 6E 61 ... ("id,na" — text)
Validator: { detectedExt:null, detectedMime:null,
             claimedExt:"csv", matches:false,
             threatDetected:false }
Unknown = no signature, NOT a threat.
```
'Is it safe to drop a suspected-malware file in?'
Yes — on the Free tier the bytes are read in browser memory and the file is never executed or uploaded. The risk is launching the file yourself, which the tool never does.
```text
File: suspicious_invoice.pdf
Header: 4D 5A ... (MZ — Windows PE)
Validator reads bytes in-browser, no upload, no execution:
{ detectedExt:"exe", claimedExt:"pdf",
  matches:false, threatDetected:true }
Safe to inspect. Do NOT double-click the file itself.
```
'Can I check several files at once?'
The validator is single-file. Run files one at a time, or automate the server-safe API path for batches. Each run returns one result card.
```text
UI: single file per run (acceptsMultiple: false)
For a batch, loop the API:
for f in files:
    POST /v1/tools/magic-byte-validator/run
    { input: base64(f), options: { filename: f.name } }
    record detectedExt + threatDetected
```
'Why didn't it flag my renamed photo.jpg.exe?'
Because matches compares the LAST extension. photo.jpg.exe claims exe and detects exe, so they agree. The disguise is the double-extension pattern plus the executable header — not a content/label conflict.
```text
File: photo.jpg.exe
Header: 4D 5A ...
Validator: { detectedExt:"exe", claimedExt:"exe",
             matches:true, threatDetected:false }
The .jpg is decoration; claimedExt is the final segment (exe).
The red flags are the double extension + the MZ header.
```
Edge cases and what actually happens
Does the tool upload my file?
Preserved: No on the Free tier. Detection runs in your browser via file-type; the bytes never leave your device. You can confirm in DevTools → Network — no request fires during processing. Paid tiers may opt into the local @jadapps/runner, which also processes on your machine.
PDF detected as ZIP
By design: OOXML documents are ZIP archives, so a misnamed Office file (or any .docx/.xlsx/.pptx) detects as zip. This is expected behaviour, not corruption. Verify the inner archive contains the OOXML manifest to confirm what it really is.
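One way to run that manifest check on a zip-detected file, as an added example rather than the validator's own code: it reads entry names from the ZIP central directory and looks for [Content_Types].xml. The function names, the return labels and the in-memory sample built by buildSampleZip are assumptions made for illustration.

```javascript
// Added example, not the validator's code: reads entry names from the ZIP
// central directory to tell an OOXML document from a plain ZIP.
const u16 = (dv, o) => dv.getUint16(o, true);
const u32 = (dv, o) => dv.getUint32(o, true);

function listZipEntries(bytes) {
  const u8 = Uint8Array.from(bytes), dv = new DataView(u8.buffer);
  let eocd = -1; // End Of Central Directory record: 22 bytes plus optional comment
  for (let i = u8.length - 22; i >= Math.max(0, u8.length - 22 - 0xffff); i--) {
    if (u32(dv, i) === 0x06054b50) { eocd = i; break; }
  }
  if (eocd < 0) return null;
  const names = [];
  let p = u32(dv, eocd + 16); // offset of the first central directory header
  for (let n = u16(dv, eocd + 10); n > 0; n--) {
    if (p + 46 > u8.length || u32(dv, p) !== 0x02014b50) return null;
    const nameLen = u16(dv, p + 28);
    names.push(new TextDecoder().decode(u8.subarray(p + 46, p + 46 + nameLen)));
    p += 46 + nameLen + u16(dv, p + 30) + u16(dv, p + 32); // skip extra field + comment
  }
  return names;
}

function classifyZipContainer(bytes) {
  const names = listZipEntries(bytes);
  if (names === null) return "unreadable";
  if (!names.includes("[Content_Types].xml")) return "plain-zip";
  // Conventional part folders; a strict check would follow _rels/.rels instead.
  for (const [dir, kind] of [["word/", "docx"], ["xl/", "xlsx"], ["ppt/", "pptx"]]) {
    if (names.some((n) => n.startsWith(dir))) return kind;
  }
  return "ooxml-other";
}

// Constructed sample input: a ZIP of empty stored entries, built in memory.
function buildSampleZip(entryNames) {
  const le32 = (v) => [v & 255, (v >> 8) & 255, (v >> 16) & 255, (v >>> 24) & 255];
  const local = [], central = [];
  for (const name of entryNames) {
    const nm = [...new TextEncoder().encode(name)], off = local.length;
    // version, then 20 zero bytes (flags..sizes), name length, extra length
    const common = [20, 0, ...new Array(20).fill(0), nm.length & 255, nm.length >> 8, 0, 0];
    local.push(0x50, 0x4b, 3, 4, ...common, ...nm);
    central.push(0x50, 0x4b, 1, 2, 20, 0, ...common, ...new Array(10).fill(0), ...le32(off), ...nm);
  }
  const n = entryNames.length; // assumes fewer than 256 entries
  return Uint8Array.from([...local, ...central, 0x50, 0x4b, 5, 6, 0, 0, 0, 0, n, 0, n, 0,
    ...le32(central.length), ...le32(local.length), 0, 0]);
}
```

A "plain-zip" result on a file named .docx or .pdf means the container lacks the OOXML manifest, so the file deserves the same caution as any other mismatch.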
Unknown result
Unknown: Text/CSV/JSON/HTML have no magic bytes; encrypted or out-of-set formats also return null. 'Unknown' is not flagged as a threat — and it's not proof of safety either. For suspect files, inspect bytes manually.
Double extension not flagged as mismatch
Expected: file.jpg.exe claims exe (last segment) and detects exe, so matches is true. The validator is honest about type; the threat is the double-extension pattern and the executable header. Don't rely on threatDetected alone for this lure.
Forged header
Limitation: A deliberately prepended valid signature makes a malicious file detect as that type and pass as a match. The validator beats renaming, not forgery. Layer it with AV and sandboxing for untrusted files.
Polyglot file
Partial: Detection is offset-0 only, so a polyglot reports its first format. A payload appended after a valid header won't change the result. Treat structural oddities as sandbox candidates.
File over the size limit
413 over limit: Free caps at 10 MB; a larger file throws an over-limit error before reading. Upgrade tiers or carve a header sample. The signature is in the first few hundred bytes regardless of total size.
Multiple files dropped
Single-file: The validator processes one file per run. Drop them individually, or script the server-safe API for a batch — each run yields its own result.
Frequently asked questions
Does the tool upload my file?
No on the Free tier. Detection runs entirely in your browser using the file-type library — zero bytes are sent to any server. You can verify in Chrome DevTools → Network: no requests appear during processing. (Paid tiers can route through the local @jadapps/runner, which also keeps processing on your machine.)
How many formats does it support?
It uses file-type version 19.6.0, which covers 155 file extensions and 150 MIME types — images, archives, executables, audio, video, fonts, and document containers (PDF, OOXML). Plain text, CSV, JSON, and HTML have no magic bytes and return 'unknown'.
What does 'Unknown type' mean?
The file's header doesn't match any signature in the 155-format set. Common causes: a text-like format (CSV/TXT/JSON — no magic bytes), an encrypted or packed blob (random-looking bytes), corruption, or a proprietary format the library doesn't cover. 'Unknown' is explicitly NOT flagged as a threat.
My PDF shows as a ZIP — is it broken?
Probably not. Modern .docx, .xlsx, and .pptx files are ZIP archives, so they detect as zip. If a file named .pdf detects as zip, it's most likely an OOXML document misnamed as PDF. Open it — if it starts with PK and contains [Content_Types].xml, it's really an Office file.
Can I validate multiple files at once?
The validator is single-file (acceptsMultiple: false) — drop one at a time and read each result card. For batches, automate the server-safe API path (Developer tier), passing each file's name via the filename option.
Is it safe to test a suspected-malware file?
Yes. On the Free tier the bytes are read in browser memory and the file is never executed or uploaded. The danger in handling malware is launching it with your OS, which the validator never does. Save it without opening, then drop it in.
What does a mismatch actually mean?
That the bytes describe a different format than the extension claims (threatDetected: true). Some mismatches are benign — every .docx reports as zip. A document or image extension detecting as exe/elf is the concerning case worth sandboxing.
Why wasn't my photo.jpg.exe flagged as a mismatch?
Because the claimed extension is the LAST segment — exe — and the bytes are also exe, so they match. The disguise is the double-extension pattern plus the executable header, not a content/label conflict. Treat any *.something.exe as suspicious regardless of threatDetected.
Does it run a virus scan or behavioural analysis?
No. It identifies the file TYPE from magic bytes — it does not scan for malware signatures or run the file to observe behaviour. Use it to triage type quickly, then pass genuine mismatches to antivirus and a sandbox.
Are jpg and jpeg treated as different?
No. The validator normalises equivalents before comparing: jpeg↔jpg, htm↔html, tif↔tiff, yml↔yaml, mid→midi, mpg/mpe→mpeg, m4v→mp4, qt→mov. So a .jpeg with JPEG bytes is a clean match, not a mismatch.
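The comparison rules described on this page (claimedExt taken from the last segment, alias normalisation, and threatDetected only when a type is detected and disagrees) can be sketched as follows. This is an added example, not the validator's source: SIGNATURES is a small stand-in for the file-type table, and doubleExtension and executableContent are hypothetical extra fields covering the photo.jpg.exe case that threatDetected misses.

```javascript
// Added illustration, not the validator's source code.
// SIGNATURES is a small stand-in for file-type's table (offset-0 checks only).
const SIGNATURES = [
  { ext: "exe", magic: [0x4d, 0x5a] },             // "MZ"
  { ext: "elf", magic: [0x7f, 0x45, 0x4c, 0x46] }, // "\x7fELF"
  { ext: "zip", magic: [0x50, 0x4b, 0x03, 0x04] }, // "PK\x03\x04"
  { ext: "pdf", magic: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
  { ext: "jpg", magic: [0xff, 0xd8, 0xff] },
];
// Equivalent extensions listed on the page, folded to one canonical form.
const ALIASES = new Map([
  ["jpeg", "jpg"], ["htm", "html"], ["tif", "tiff"], ["yml", "yaml"], ["mid", "midi"],
  ["mpg", "mpeg"], ["mpe", "mpeg"], ["m4v", "mp4"], ["qt", "mov"],
]);
const canon = (ext) => ALIASES.get(ext) ?? ext;
const EXECUTABLE = ["exe", "elf"];

function detectExt(bytes) {
  const hit = SIGNATURES.find((s) => s.magic.every((b, i) => bytes[i] === b));
  return hit ? hit.ext : null; // null is the "Unknown" state
}

function validate(filename, bytes) {
  const parts = filename.toLowerCase().split(".");
  const claimedExt = parts.length > 1 ? parts[parts.length - 1] : ""; // LAST segment
  const detectedExt = detectExt(bytes);
  const matches = detectedExt !== null && canon(detectedExt) === canon(claimedExt);
  // Page rule: flagged only when a type was detected AND it disagrees with the name.
  const threatDetected = detectedExt !== null && !matches;
  // Hypothetical extra fields (not validator output) for the double-extension lure.
  const doubleExtension = parts.length > 2 && claimedExt === "exe";
  const executableContent = EXECUTABLE.includes(detectedExt);
  return { detectedExt, claimedExt, matches, threatDetected, doubleExtension, executableContent };
}

// Constructed headers mirroring the cookbook cases above.
const SAMPLES = [
  ["quarterly.pdf", [0x50, 0x4b, 0x03, 0x04]],
  ["export.csv", [0x69, 0x64, 0x2c, 0x6e, 0x61]],
  ["photo.jpg.exe", [0x4d, 0x5a, 0x90, 0x00]],
  ["holiday.jpeg", [0xff, 0xd8, 0xff, 0xe0]],
];
for (const [name, header] of SAMPLES) console.log(name, validate(name, header));
```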
What's the largest file I can check?
Free 10 MB, Pro 100 MB, Pro-media 500 MB, Developer 2 GB. The validator only needs the header, but the buffer read respects your tier cap, so very large files require a higher tier or a header sample. Most files you'd check are well under 10 MB.
Where do I go next if the validator can't answer my question?
For a hex view of the header use hex-header-inspector; to test for packing/encryption use entropy-analyzer; to capture hashes for IOCs use multi-hash-fingerprinter; to watch a known-good file for changes use file-integrity-monitor.